A new phishing campaign has been discovered that uses the Microsoft Sway file sharing service in a three-stage attack to steal the Office 365 credentials of high-level executives.Group IB experts identified the campaign and labelled it it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly focused and has been conducted on high-level executives at more than 150 firms. The individuals behind the campaign are believed to be based in Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been operational since around the middle of last year.

The PerSwaysion attack begins with a spear phishing email sent to an executive in the targeted group. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is must click to view the content of the file. The link brings the user to file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and shows the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review and also a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.

The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page all have Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into sharing their credentials.

Once credentials have been gathered, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to broadcast further spear phishing emails to individuals in the victim’s contact list. The sent emails are then erased from the victim’s sent folder to ensure the attack is not discovered by the victim.

The emails include the sender’s name in the subject line, and since they have not been sent from the account of a known contact, they are more likely to be clicked on. The lure used is simple yet successful, asking the recipient to open and review the shared document.

Many of the attacks have been targeted on individuals at companies in the financial services sector, although law firms and real estate companies have also fallen victim. Most attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.

It is possible that the cybercriminals are still accessing the compromised emails accounts to take sensitive data. Since the campaign targets high level executives, the email accounts are likely to include valuable intellectual property. They could also be used for BEC scams to fool employees into completing fraudulent wire transfers.